Hosting companies use CBL and Spamhaus blacklists to block web traffic
Having an IP address that happens to be blacklisted with CBL or Spamhaus can cause a serious headache. Here is a little story about what can happen when your IP address happens to be blacklisted, and how you can easily become collateral damage in something so out of your control.
Blacklisting abuse
Last week, I was unable to access this site. Every page came back with a 404 not found. I was also unable to access cPanel to check the logs. FTP access worked, so I was still able to download the logs from there. Turns out that it started several hours before, because from that point on I noticed an excessive number of 404s.
After contacting my hosting company they asked me to check my IP address at CBL. It turns out that they are using Spamhaus SBL and XBL to control http (port 80) access to the sites they host. In other words, if your IP address happened to be blacklisted at CBL or Spamhaus, you wouldn't be able to access sites they host.
See, I am on EVDO through Telus Mobility — it's all I can get in my area. My IP address almost never changes because all EVDO users are stuck behind a NAT router from Telus. In itself this is not that big of a deal, other than that certain things don't work that would work for ADSL users (e.g. accessing a server on your LAN directly). But apparently, there is Bad Stuff coming out of that Telus router triggering the blacklisting at CBL or Spamhaus, over and over again.
A helpful fellow at CBL delisted my IP address and wrote to me that their blacklist is intended for SMTP (port 25) only, as it also states in their terms and conditions:
If you want to use the CBL to block protocols other than SMTP on port 25 (ie: IRC), realize this is officially UNSUPPORTED by the CBL team.
We appreciate that this is a useful thing to do, but you MUST NOT mention the CBL as being the source of a block and you should be prepared to provide "first contact" assistance for users encountering a block and potentially whitelisting on your service.
It should be absolutely clear that there will be a potentially large number of affected users who, through no fault of their own, will NOT be able to delist due to NAT, dynamic IPs, or other similar issues. Anyone using the CBL for blocking IRC, blog comments or whatever needs to know that they will get collateral damage and they will either have to manage that themselves with whitelisting or live with it.
And their FAQ states:
I'm having problems with something OTHER than email
The CBL is specifically intended to be used to filter email coming into a mail server from the Internet.
In "tech-jargon", it's intended to be used on email going to your MX, NOT your user's "outbound SMTP server", nor for anything other than email.
The Spamhaus XBL page states something very similar:
DNS-based Blocklists (DNSBLs) such as the Spamhaus XBL are designed only for use on mail servers.
The Spamhaus SBL page also states that this is for use with mail servers.
Hosting company response
My hosting company defended their action by stating that using the CBL/Spamhaus list for web filtering is "useful for webservers too."
I am flabbergasted.
To attempt to make your hosted websites safer is an admirable standpoint. But to bluntly rely on someone's blacklist that is not at all intended for http access filtering is ridiculous. It is a sort of meddling with hosted websites that is borderline ridiculous. Not to mention the fact that I was locked out from all my administrative tools.
Besides, I wonder how effective this is going to be. Personal computers ridden with malware are a problem. But abusing the CBL/Spamhaus blacklists as a hosting company is not going to solve the problem of attacks on hosted sites. Maybe it would be better to educate webmasters that "rent space" at a hosting company to keep their software patched to prevent SQL injection or cross-site scripting. Maybe traffic can be analyzed and when requests seem suspicious, these can be redirected (see remote file inclusion). Anything but to bluntly block blacklisted IP addresses.
Telus response
Telus Mobility issues me my IP address. That same address is probably shared with hundreds or thousands, I don't know. So just because some dirt is coming out of that router this address gets blacklisted and I am simply caught in the middle by no fault of my own.
When I asked Telus Client Care for clarification on this, they stated that there are "many" websites that don't allow access from Telus IP addresses. Telus said they can't control access to these sites (that's right, that is up to the hosting company) and that they basically can't do anything, other than to offer me a VPN package for an additional fee (sure) which they can't guarantee will work.
Look ahead
In the meantime, my hosting company was kind enough to disable their blocking, although temporarily. I am sure that their filtering was enabled somewhere before I detected the problem because I have not seen this problem before in the 2 years or so I have been using their services.
However, they are now planning on implementing a CAPTCHA. Blocked IP addresses will then probably be redirected to a page with a CAPTCHA before being allowed to proceed to a site. I have no idea how that is going to be implemented, other than that they claim that it is going to be "user friendly."
I am strongly opposed to this whole idea.
It is their right to do what they want. It is then my right as a customer to pick up my data and move it elsewhere. As a matter of fact I am looking at reviews of other hosting companies to see what options I have.
Don't get me wrong, I have always been impressed with the level of customer service. I have also recommended their services numerous times to others. But to keep abusing a CBL/Spamhaus list for something that it so clearly was not designed for is just a blatant disrespect to its affected customers.
In retrospect, this will affect only a small number of visitors to the two sites I have hosted with them, only those whose IP address happens to be blacklisted. But it did affect legitimate potential customers, I could see it in the logs. The whole idea seems like a disaster to me.
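The log check this post relies on (finding when the 404s began and which visitors were hit), as an added example that is not part of the original post. It assumes Apache combined log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (documentation IP ranges, made-up date).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:01:40 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:02:03 +0000] "GET /contact.html HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:02:30 +0000] "GET /missing.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.25 - - [01/Jan/2024:08:05:01 +0000] "GET / HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.25 - - [01/Jan/2024:08:05:09 +0000] "GET /about.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.25 - - [01/Jan/2024:08:05:30 +0000] "GET /contact.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.99 - - [01/Jan/2024:08:06:00 +0000] "GET /old-page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.99 - - [01/Jan/2024:08:06:02 +0000] "GET /typo.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.99 - - [01/Jan/2024:08:06:05 +0000] "GET /missing.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# client IP, [timestamp], "METHOD path ...", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, timestamp, path, status) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(4), int(m.group(5))

def likely_blocked_clients(log_text, min_hits=3):
    """Map ip -> (hit count, first timestamp) for clients that got nothing but
    404s, with at least min_hits of them on pages that returned 200 to others.
    A client asking for pages that do not exist for anyone is not flagged."""
    ok_paths, per_ip = set(), defaultdict(list)
    for ip, ts, path, status in parse(log_text):
        per_ip[ip].append((ts, path, status))
        if status == 200:
            ok_paths.add(path)
    flagged = {}
    for ip, hits in per_ip.items():
        only_404 = all(status == 404 for _, _, status in hits)
        on_good_pages = sum(1 for _, path, _ in hits if path in ok_paths)
        if only_404 and on_good_pages >= min_hits:
            flagged[ip] = (len(hits), hits[0][0])  # log is in time order
    return flagged

if __name__ == "__main__":
    for ip, (count, first) in likely_blocked_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} requests, all 404, starting {first}")
```

Clients flagged this way are candidates for whitelisting or for a "first contact" follow-up of the kind the CBL terms ask of operators who filter non-SMTP traffic.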
On a side note
I have deliberately not (yet) used the name of the hosting company, although you could find out who they are if you wanted to. I want to see where they take this first.
I am not blaming CBL or Spamhaus. For its intended purpose it may work. Mail servers with static addresses can effectively be filtered. Blacklisting of dynamic IP addresses is absolutely useless and causes headaches for poor souls inheriting such listed IP addresses.
I am not blaming Telus for any of this. They own the router through which infected computers on their network access the internet but in all honesty, they don't have anything to do with the blocking of IP addresses. They were helpful so far, although any solution with Telus seems to increase the monthly fees.
I am solely blaming my hosting company for taking such irresponsible action.
Edit August 16, 2009: So far, my hosting company has not yet implemented their ridiculous CAPTCHA feature. Good, I haven't had the time to look at all other options for hosting yet. But I will move my data if I have to. In the meantime, my IP address keeps being blocked on and off at CBL; that is unlikely to change.
Edit August 22, 2010: And now, more than a year later, I am still using the same hosting company. They seem to have abandoned their concept entirely. Good.
Comments
WebhostingPad is the company we used. After we did not renew our services in 2016, my credit card kept being charged and the owner was extremely rude, responding on fraud charges: Why would we refund when you didn't cancel?
Not only did they defraud me on billing, their service was very bad. They installed a captcha on my site that requires clients to log in. I lost so much traffic with this captcha and they refused to take it off.